crypto/x509/pkix: FillFromRDNSequence does not preserve multi-value RDNs #23069

Open
ramoas opened this issue Dec 9, 2017 · 3 comments

@ramoas ramoas commented Dec 9, 2017

What version of Go are you using (go version)?

This issue affects Go 1.8 and later as a consequence of 809a1de to fix #16836 (and #12342).

Prior to Go 1.8 and that change, Go did not process multi-value RDNs -- it always assumed just one attribute and value (the first) per RDN.

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

The OS and architecture should not matter.

What did you do?

https://play.golang.org/p/7OIuhautCe

What did you expect to see?

The multi-value nature of any RDN is preserved. That is, the length of the subject (and issuer) RDNSequence before pkix.FillFromRDNSequence and after pkix.ToRDNSequence should match.

What did you see instead?

The multi-value nature of any RDN is not preserved by pkix.FillFromRDNSequence. That is, the length of the subject (and issuer) RDNSequence before pkix.FillFromRDNSequence and after pkix.ToRDNSequence do not match.

As previously noted in comments on 809a1de, the original Gerrit CR, and #12342, if this will not be fixed, then the behavior should be documented at a minimum.

@ianlancetaylor ianlancetaylor commented Jun 29, 2018

@rsc rsc commented Aug 17, 2018

Clearly missed for Go 1.11.

@rsc rsc modified the milestones: Go1.11, Go1.12 Aug 17, 2018
@rsc rsc modified the milestones: Go1.12, Go1.13 Nov 28, 2018
@rsc rsc added the early-in-cycle label Nov 28, 2018
@andybons andybons modified the milestones: Go1.13, Go1.14 Jul 8, 2019

@FiloSottile FiloSottile commented Sep 30, 2019

This is bad, also because it will lead to a parse-serialize cycle returning a semantically different result, but I can't see how to fix this without making a whole new set of APIs, which is not an option for such rare certificates.

Unless anyone has any better idea, we should just document this behavior, maybe in FillFromRDNSequence.
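
The parse-serialize mismatch discussed in this thread can be reproduced without a certificate. The following is an added example, not the reporter's playground code and not code from the Go project; the subject values and the helper names `constructedSubject`, `roundTrip`, `multiValued` and `sameDER` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
)

var (
	oidCN = asn1.ObjectIdentifier{2, 5, 4, 3}  // commonName
	oidO  = asn1.ObjectIdentifier{2, 5, 4, 10} // organizationName
	oidOU = asn1.ObjectIdentifier{2, 5, 4, 11} // organizationalUnitName
)

// constructedSubject is sample data: O=Example Org, then one multi-value
// RDN carrying both OU=Engineering and CN=alice.
var constructedSubject = pkix.RDNSequence{
	{{Type: oidO, Value: "Example Org"}},
	{{Type: oidOU, Value: "Engineering"}, {Type: oidCN, Value: "alice"}},
}

// roundTrip passes seq through pkix.Name and back to an RDNSequence.
func roundTrip(seq pkix.RDNSequence) pkix.RDNSequence {
	var n pkix.Name
	n.FillFromRDNSequence(&seq)
	return n.ToRDNSequence()
}

// multiValued counts the RDNs that hold more than one attribute.
func multiValued(seq pkix.RDNSequence) (count int) {
	for _, rdn := range seq {
		if len(rdn) > 1 {
			count++
		}
	}
	return count
}

// sameDER reports whether a and b encode identically; an encoding error counts as a mismatch.
func sameDER(a, b pkix.RDNSequence) bool {
	da, errA := asn1.Marshal(a)
	db, errB := asn1.Marshal(b)
	return errA == nil && errB == nil && bytes.Equal(da, db)
}

func main() {
	in, out := constructedSubject, roundTrip(constructedSubject)
	fmt.Printf("RDNs %d -> %d, multi-value %d -> %d, same DER: %v\n", len(in), len(out), multiValued(in), multiValued(out), sameDER(in, out))
}
```

Code that must re-emit a name byte for byte can run a check like `multiValued` on the parsed `RDNSequence` and keep the original encoding instead of rebuilding it from `pkix.Name`.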
